Brief Summary

In this section is described how to test an Oracle DB from the web.

Description of the Issue

Web based PL/SQL applications are enabled by the PL/SQL Gateway - it is the component that translates web requests into database queries. Oracle has developed a number of different software implementations however ranging from the early web listener product to the Apache mod_plsql module to the XML Database (XDB) web server. All have their own quirks and issues each of which will be thoroughly investigated in this paper. Products that use the PL/SQL Gateway include, but are not limited to, the Oracle HTTP Server, eBusiness Suite, Portal, HTMLDB, WebDB and Oracle Application Server.

Black Box testing and example

Understanding how the PL/SQL Gateway works
Essentially the PL/SQL Gateway simply acts as a proxy server taking the user's web request and passing it on to the database server where it is executed.

1) Web server accepts request from a web client and determines it should be processed by the PL/SQL Gateway
2) PL/SQL Gateway processes request by extracting the requested package name and procedure and variables
3) Requested package and procedure is wrapped in a block on anonymous PL/SQL and sent to the database server.
4) Database server executes the procedure and sends the results back to the Gateway as HTML
5) Gateway via the web server sends response back to the client

Understaning this is important - the PL/SQL code does not exist on the web server but, rather, in the database server. This means that any weaknesses in the PL/SQL Gateway or any weaknesses in the PL/SQL application, when exploited, give an attacker direct access to the database server - no amount of firewalls will prevent this.

URLs for PL/SQL web applications are normally easily recognizable and generally start with the following (xyz can be any string and represents a Database Access Descriptor, which you will learn more about later):

While the second and third of these examples represent URLs from older versions of the PL/SQL Gateway, the first is from more recent versions running on Apache. In the plsql.conf Apache configuration file, /pls is the default, specified as a Location with the PLS module as the handler. The location need not be /pls, however. The absence of a file extension in a URL could indicate the presence of the Oracle PL/SQL Gateway. Consider the following URL:

http://www.server.com/aaa/bbb/xxxxx.yyyyy

If xxxxx.yyyyy were replaced with something along the lines of “ebank.home,” “store.welcome,” “auth.login,” or “books.search,” then there’s a fairly strong chance that the PL/SQL Gateway is being used. It is also possible to precede tha requested package and procedure with the name of the user that owns it - i.e. the schema - in this case the user is "webuser":

http://www.server.com/pls/xyz/webuser.pkg.proc

In this URL, xyz is the Database Access Descriptor, or DAD. A DAD specifies information about the database server so that the PL/SQL Gateway can connect. It contains information such as the TNS connect string, the user ID and password, authentication methods, and so on. These DADs are specified in the dads.conf Apache configuration file in more recent versions or the wdbsvr.app file in older versions. Some default DADs include the following:

Determining if the PL/SQL Gateway is running
When performing an asssessment against a server it's important first to know what technology you're actually dealing with. If you don't already know, for example in a black box assessment scenario, then the first thing you need to do is work this out. Recognizing a web based PL/SQL application is pretty easy. Firstly there is the format of the URL and what it looks like, discussed above. Beyond that there are a set of simple tests that can be performed to test for the existence of the PL/SQL Gateway.

Server response headers
The web server's response headers are a good indicator as to whether the server is running the PL/SQL Gateway. The table below lists some of the typical server response headers:

The FAILED_LOGIN_ATTEMPTS parameter is used to limit to the number of failed login attempts allowed before a user account is locked by the data base.

FAILED_LOGIN_ATTEMPTS can be set to a specific number of attempts; to UNLIMITED (never lock an account), to DEFAULT, which refers to the value indicated in the DEFAULT profile.

Setting this value reduces the potential success of a brute force attack and alerts. Once an account is locked it can not be logged into for a defined number of days or until the administrator unlocks the account.